iSAC decoder: Don't read past the end of the buffer of encoded bytes

Bug: chromium:825524 Change-Id: Iff40a9fd62a34474af71b51dd3831a16412fbf3b Reviewed-on: https://webrtc-review.googlesource.com/66361 Reviewed-by: Henrik Lundin <henrik.lundin@webrtc.org> Commit-Queue: Karl Wiberg <kwiberg@webrtc.org> Cr-Commit-Position: refs/heads/master@{#22748}
2018-04-05 11:36:57 +02:00
parent 844876d050
commit 338f58d95c
1 changed files with 4 additions and 2 deletions
--- a/modules/audio_coding/codecs/isac/main/source/isac.c
+++ b/modules/audio_coding/codecs/isac/main/source/isac.c
@ -1266,8 +1266,10 @@ static int Decode(ISACStruct* ISAC_main_inst,

        /* It might be less due to garbage. */
        if ((numDecodedBytesUB != lenNextStream) &&
-            (numDecodedBytesUB != (lenNextStream -
-                encoded[numDecodedBytesLB + 1 + numDecodedBytesUB]))) {
+            (numDecodedBytesLB + 1 + numDecodedBytesUB >= lenEncodedBytes ||
+             numDecodedBytesUB !=
+                 (lenNextStream -
+                  encoded[numDecodedBytesLB + 1 + numDecodedBytesUB]))) {
          instISAC->errorCode = ISAC_LENGTH_MISMATCH;
          return -1;
        }